package org.apache.kafka.metadata.authorizer;

import java.util.ArrayList;
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.NavigableSet;
import java.util.Set;
import java.util.TreeSet;
import org.apache.kafka.common.Uuid;
import org.apache.kafka.common.acl.AclBinding;
import org.apache.kafka.common.acl.AclBindingFilter;
import org.apache.kafka.common.acl.AclOperation;
import org.apache.kafka.common.acl.AclPermissionType;
import org.apache.kafka.common.errors.AuthorizerNotReadyException;
import org.apache.kafka.common.protocol.ApiKeys;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.resource.ResourcePattern;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.utils.LogContext;
import org.apache.kafka.common.utils.SecurityUtils;
import org.apache.kafka.common.utils.Utils;
import org.apache.kafka.server.authorizer.Action;
import org.apache.kafka.server.authorizer.AuthorizableRequestContext;
import org.apache.kafka.server.authorizer.AuthorizationResult;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/kafka/metadata/authorizer/StandardAuthorizerData.class */
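/**
 * In-memory ACL state and the decision logic used to authorize a request.
 *
 * <p>This listing is decompiler (JADX) output, so it carries synthetic members such as
 * {@code AnonymousClass1} and extra constructors taking an {@code AnonymousClass1} argument.
 * The JADX markers on members record where the decompiler widened access from package-private.
 *
 * <p>Decision order implemented by {@link #authorize}:
 * <ol>
 *   <li>a principal listed in {@code superUsers} is always allowed, even before loading completes;</li>
 *   <li>otherwise, if loading is not complete, the request fails with
 *       {@link AuthorizerNotReadyException};</li>
 *   <li>otherwise a matching DENY ACL wins over any matching ALLOW ACL;</li>
 *   <li>if no ACL matches, the configured default rule applies.</li>
 * </ol>
 *
 * <p>The {@code copyWith*} methods pass the same {@code aclsByResource} and {@code aclsById}
 * instances to the new object, so copies share those mutable collections unless the caller
 * supplies new ones.
 */
public class StandardAuthorizerData {
    public static final String WILDCARD_PRINCIPAL = "User:*";
    final Logger log;
    // Dedicated audit logger; every authorization decision is reported through it.
    final Logger auditLog = auditLogger();
    final AclMutator aclMutator;
    // False until the caller marks ACL loading as finished; gates non-superuser requests.
    final boolean loadingComplete;
    // String forms of principals that bypass ACL evaluation entirely.
    private final Set<String> superUsers;
    // Result used when no ACL matches the request.
    private final DefaultRule defaultRule;
    private final TreeSet<StandardAcl> aclsByResource;
    private final HashMap<Uuid, StandardAcl> aclsById;
    public static final String WILDCARD = "*";
    public static final KafkaPrincipal WILDCARD_KAFKA_PRINCIPAL = new KafkaPrincipal("User", WILDCARD);
    // ALLOW ACLs for any of these operations also grant DESCRIBE.
    private static final Set<AclOperation> IMPLIES_DESCRIBE = Collections.unmodifiableSet(EnumSet.of(AclOperation.DESCRIBE, AclOperation.READ, AclOperation.WRITE, AclOperation.DELETE, AclOperation.ALTER));
    // ALLOW ACLs for any of these operations also grant DESCRIBE_CONFIGS.
    private static final Set<AclOperation> IMPLIES_DESCRIBE_CONFIGS = Collections.unmodifiableSet(EnumSet.of(AclOperation.DESCRIBE_CONFIGS, AclOperation.ALTER_CONFIGS));

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.apache.kafka.metadata.authorizer.StandardAuthorizerData$1, reason: invalid class name */
    /* loaded from: input_file:org/apache/kafka/metadata/authorizer/StandardAuthorizerData$1.class */
    /**
     * Compiler-generated lookup tables backing the enum {@code switch} statements in this class.
     * AclOperation: 1 = DESCRIBE, 2 = DESCRIBE_CONFIGS. AuthorizationResult: 1 = ALLOWED,
     * 2 = DENIED. Any other constant maps to 0 and therefore reaches the {@code default} branch.
     */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$apache$kafka$server$authorizer$AuthorizationResult;
        static final /* synthetic */ int[] $SwitchMap$org$apache$kafka$common$acl$AclOperation = new int[AclOperation.values().length];

        static {
            // The empty catches are part of the compiler's switch-map pattern: an enum constant
            // missing at run time simply leaves its slot at 0.
            try {
                $SwitchMap$org$apache$kafka$common$acl$AclOperation[AclOperation.DESCRIBE.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$acl$AclOperation[AclOperation.DESCRIBE_CONFIGS.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            $SwitchMap$org$apache$kafka$server$authorizer$AuthorizationResult = new int[AuthorizationResult.values().length];
            try {
                $SwitchMap$org$apache$kafka$server$authorizer$AuthorizationResult[AuthorizationResult.ALLOWED.ordinal()] = 1;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$org$apache$kafka$server$authorizer$AuthorizationResult[AuthorizationResult.DENIED.ordinal()] = 2;
            } catch (NoSuchFieldError e4) {
            }
        }
    }

    /* loaded from: input_file:org/apache/kafka/metadata/authorizer/StandardAuthorizerData$DefaultRule.class */
    /** Rule reported when no ACL matched; carries the configured fallback result. */
    private static class DefaultRule implements MatchingRule {
        private final AuthorizationResult result;

        private DefaultRule(AuthorizationResult authorizationResult) {
            this.result = authorizationResult;
        }

        @Override // org.apache.kafka.metadata.authorizer.StandardAuthorizerData.MatchingRule
        public AuthorizationResult result() {
            return this.result;
        }

        /** Name written to the audit log: anything other than ALLOWED is shown as "DefaultDeny". */
        @Override
        public String toString() {
            return this.result == AuthorizationResult.ALLOWED ? "DefaultAllow" : "DefaultDeny";
        }

        /** Synthetic accessor constructor; the second argument is unused. */
        /* synthetic */ DefaultRule(AuthorizationResult authorizationResult, AnonymousClass1 anonymousClass1) {
            this(authorizationResult);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/kafka/metadata/authorizer/StandardAuthorizerData$MatchingAclBuilder.class */
    /** Accumulates the ACLs found while scanning; a recorded DENY overrides a recorded ALLOW. */
    public static class MatchingAclBuilder {
        private StandardAcl denyAcl;
        private StandardAcl allowAcl;

        private MatchingAclBuilder() {
        }

        /** @return true once a DENY ACL has been recorded, which ends the search. */
        boolean foundDeny() {
            return this.denyAcl != null;
        }

        /**
         * @return a DENIED rule if a DENY ACL was recorded, else an ALLOWED rule if an ALLOW ACL
         *     was recorded, else {@code null} (the caller then falls back to the default rule).
         */
        MatchingAclRule build() {
            if (this.denyAcl != null) {
                return new MatchingAclRule(this.denyAcl, AuthorizationResult.DENIED, null);
            }
            if (this.allowAcl != null) {
                return new MatchingAclRule(this.allowAcl, AuthorizationResult.ALLOWED, null);
            }
            return null;
        }

        /** Synthetic accessor constructor; the argument is unused. */
        /* synthetic */ MatchingAclBuilder(AnonymousClass1 anonymousClass1) {
            this();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/kafka/metadata/authorizer/StandardAuthorizerData$MatchingAclRule.class */
    /** Rule reported when a specific ACL decided the request. */
    public static class MatchingAclRule implements MatchingRule {
        private final StandardAcl acl;
        private final AuthorizationResult result;

        private MatchingAclRule(StandardAcl standardAcl, AuthorizationResult authorizationResult) {
            this.acl = standardAcl;
            this.result = authorizationResult;
        }

        @Override // org.apache.kafka.metadata.authorizer.StandardAuthorizerData.MatchingRule
        public AuthorizationResult result() {
            return this.result;
        }

        /** Includes the deciding ACL so the audit log shows which entry matched. */
        @Override
        public String toString() {
            return "MatchingAcl(acl=" + this.acl + ")";
        }

        /** Synthetic accessor constructor; the third argument is unused. */
        /* synthetic */ MatchingAclRule(StandardAcl standardAcl, AuthorizationResult authorizationResult, AnonymousClass1 anonymousClass1) {
            this(standardAcl, authorizationResult);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/kafka/metadata/authorizer/StandardAuthorizerData$MatchingRule.class */
    /** The reason behind an authorization decision, together with the decision itself. */
    public interface MatchingRule {
        AuthorizationResult result();
    }

    /* loaded from: input_file:org/apache/kafka/metadata/authorizer/StandardAuthorizerData$SuperUserRule.class */
    /** Singleton rule reported when the principal is a configured superuser; always ALLOWED. */
    private static class SuperUserRule implements MatchingRule {
        private static final SuperUserRule INSTANCE = new SuperUserRule();

        private SuperUserRule() {
        }

        @Override // org.apache.kafka.metadata.authorizer.StandardAuthorizerData.MatchingRule
        public AuthorizationResult result() {
            return AuthorizationResult.ALLOWED;
        }

        @Override
        public String toString() {
            return "SuperUser";
        }
    }

    /** Builds a logger whose messages are prefixed with {@code [StandardAuthorizer <i>] }. */
    private static Logger createLogger(int i) {
        return new LogContext("[StandardAuthorizer " + i + "] ").logger(StandardAuthorizerData.class);
    }

    /** Returns the audit logger, looked up by the fixed name {@code kafka.authorizer.logger}. */
    private static Logger auditLogger() {
        return LoggerFactory.getLogger("kafka.authorizer.logger");
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates the initial state: no ACLs, no superusers, no mutator, loading not complete and a
     * default result of DENIED, so nothing is authorized until configuration is applied.
     */
    public static StandardAuthorizerData createEmpty() {
        return new StandardAuthorizerData(createLogger(-1), null, false, Collections.emptySet(), AuthorizationResult.DENIED, new TreeSet<>(), new HashMap<>());
    }

    /** Stores the given references as-is; none of the collections is copied. */
    private StandardAuthorizerData(Logger logger, AclMutator aclMutator, boolean z, Set<String> set, AuthorizationResult authorizationResult, TreeSet<StandardAcl> treeSet, HashMap<Uuid, StandardAcl> hashMap) {
        this.log = logger;
        this.aclMutator = aclMutator;
        this.loadingComplete = z;
        this.superUsers = set;
        this.defaultRule = new DefaultRule(authorizationResult, null);
        this.aclsByResource = treeSet;
        this.aclsById = hashMap;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Returns a copy with a different mutator; the ACL collections are shared with this object. */
    public StandardAuthorizerData copyWithNewAclMutator(AclMutator aclMutator) {
        return new StandardAuthorizerData(this.log, aclMutator, this.loadingComplete, this.superUsers, this.defaultRule.result, this.aclsByResource, this.aclsById);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Returns a copy with a new loading-complete flag; the ACL collections are shared. */
    public StandardAuthorizerData copyWithNewLoadingComplete(boolean z) {
        return new StandardAuthorizerData(this.log, this.aclMutator, z, this.superUsers, this.defaultRule.result, this.aclsByResource, this.aclsById);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns a copy with a new logger id, superuser set and default result.
     *
     * @param i id placed in the logger prefix
     * @param set superuser principals in string form; stored without copying
     * @param authorizationResult result to use when no ACL matches
     */
    public StandardAuthorizerData copyWithNewConfig(int i, Set<String> set, AuthorizationResult authorizationResult) {
        return new StandardAuthorizerData(createLogger(i), this.aclMutator, this.loadingComplete, set, authorizationResult, this.aclsByResource, this.aclsById);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Returns a copy that uses the supplied ACL collections and logs how many ACLs it holds. */
    public StandardAuthorizerData copyWithNewAcls(TreeSet<StandardAcl> treeSet, HashMap<Uuid, StandardAcl> hashMap) {
        StandardAuthorizerData standardAuthorizerData = new StandardAuthorizerData(this.log, this.aclMutator, this.loadingComplete, this.superUsers, this.defaultRule.result, treeSet, hashMap);
        this.log.info("Initialized with {} acl(s).", hashMap.size());
        return standardAuthorizerData;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Registers an ACL in both indexes.
     *
     * @throws RuntimeException if the id is already present, or if the resource index rejects the
     *     ACL; in the second case the id mapping is rolled back so the two indexes stay in step
     */
    public void addAcl(Uuid uuid, StandardAcl standardAcl) {
        try {
            if (this.aclsById.putIfAbsent(uuid, standardAcl) != null) {
                throw new RuntimeException("An ACL with ID " + uuid + " already exists.");
            }
            if (this.aclsByResource.add(standardAcl)) {
                this.log.trace("Added ACL {}: {}", uuid, standardAcl);
            } else {
                this.aclsById.remove(uuid);
                throw new RuntimeException("Unable to add the ACL with ID " + uuid + " to aclsByResource");
            }
        } catch (Throwable th) {
            // Log and rethrow so a failed ACL change is visible in the broker log.
            this.log.error("addAcl error", th);
            throw th;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Removes an ACL from both indexes.
     *
     * @throws RuntimeException if the id is unknown, or if the ACL is missing from the resource
     *     index; in the second case the id mapping has already been removed
     */
    public void removeAcl(Uuid uuid) {
        try {
            StandardAcl remove = this.aclsById.remove(uuid);
            if (remove == null) {
                throw new RuntimeException("ID " + uuid + " not found in aclsById.");
            }
            if (!this.aclsByResource.remove(remove)) {
                throw new RuntimeException("Unable to remove the ACL with ID " + uuid + " from aclsByResource");
            }
            this.log.trace("Removed ACL {}: {}", uuid, remove);
        } catch (Throwable th) {
            this.log.error("removeAcl error", th);
            throw th;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Returns the internal superuser set itself, not a copy. */
    public Set<String> superUsers() {
        return this.superUsers;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Returns the result applied when no ACL matches. */
    public AuthorizationResult defaultResult() {
        return this.defaultRule.result;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Returns the number of ACLs in the id index. */
    public int aclCount() {
        return this.aclsById.size();
    }

    /**
     * Decides whether the request may perform the action and writes the decision to the audit log.
     *
     * <p>The superuser check compares {@code principal.toString()} with the configured strings and
     * runs before the loading-complete check, so superusers are allowed while ACLs are still
     * loading. Host matching uses {@code clientAddress().getHostAddress()}.
     *
     * @throws AuthorizerNotReadyException if loading is not complete and the principal is not a
     *     superuser; no audit message is written in that case
     */
    public AuthorizationResult authorize(AuthorizableRequestContext authorizableRequestContext, Action action) {
        MatchingRule matchingRule;
        KafkaPrincipal baseKafkaPrincipal = baseKafkaPrincipal(authorizableRequestContext);
        if (this.superUsers.contains(baseKafkaPrincipal.toString())) {
            matchingRule = SuperUserRule.INSTANCE;
        } else {
            if (!this.loadingComplete) {
                throw new AuthorizerNotReadyException();
            }
            MatchingAclRule findAclRule = findAclRule(matchingPrincipals(authorizableRequestContext), authorizableRequestContext.clientAddress().getHostAddress(), action);
            matchingRule = findAclRule != null ? findAclRule : this.defaultRule;
        }
        logAuditMessage(baseKafkaPrincipal, authorizableRequestContext, action, matchingRule);
        return matchingRule.result();
    }

    /**
     * Formats one audit line: principal, decision, operation, client host, resource, request type,
     * reference count and the rule that decided.
     */
    private String buildAuditMessage(KafkaPrincipal kafkaPrincipal, AuthorizableRequestContext authorizableRequestContext, Action action, MatchingRule matchingRule) {
        // NOTE(review): principal and resource names are appended unescaped; whether upstream
        // validation keeps line breaks out of them is not visible here — confirm before parsing
        // this log line by line.
        StringBuilder sb = new StringBuilder();
        sb.append("Principal = ").append(kafkaPrincipal);
        sb.append(" is ").append(matchingRule.result() == AuthorizationResult.ALLOWED ? "Allowed" : "Denied");
        sb.append(" operation = ").append(action.operation());
        sb.append(" from host = ").append(authorizableRequestContext.clientAddress().getHostAddress());
        sb.append(" on resource = ");
        appendResourcePattern(action.resourcePattern(), sb);
        sb.append(" for request = ").append(ApiKeys.forId(authorizableRequestContext.requestType()).name);
        sb.append(" with resourceRefCount = ").append(action.resourceReferenceCount());
        sb.append(" based on rule ").append(matchingRule);
        return sb.toString();
    }

    /** Appends the resource as {@code type:patternType:name}. */
    private void appendResourcePattern(ResourcePattern resourcePattern, StringBuilder sb) {
        sb.append(SecurityUtils.resourceTypeName(resourcePattern.resourceType())).append(":").append(resourcePattern.patternType()).append(":").append(resourcePattern.name());
    }

    /**
     * Writes the decision to the audit log. Allowed requests go to DEBUG when the action asks for
     * it, denied requests go to INFO when the action asks for it; everything else goes to TRACE.
     * The message is only built when it will be emitted, except on the INFO path.
     */
    private void logAuditMessage(KafkaPrincipal kafkaPrincipal, AuthorizableRequestContext authorizableRequestContext, Action action, MatchingRule matchingRule) {
        switch (AnonymousClass1.$SwitchMap$org$apache$kafka$server$authorizer$AuthorizationResult[matchingRule.result().ordinal()]) {
            case 1: // ALLOWED
                if (action.logIfAllowed() && this.auditLog.isDebugEnabled()) {
                    this.auditLog.debug(buildAuditMessage(kafkaPrincipal, authorizableRequestContext, action, matchingRule));
                } else if (this.auditLog.isTraceEnabled()) {
                    this.auditLog.trace(buildAuditMessage(kafkaPrincipal, authorizableRequestContext, action, matchingRule));
                }
                return;
            case 2: // DENIED
                if (action.logIfDenied()) {
                    this.auditLog.info(buildAuditMessage(kafkaPrincipal, authorizableRequestContext, action, matchingRule));
                } else if (this.auditLog.isTraceEnabled()) {
                    this.auditLog.trace(buildAuditMessage(kafkaPrincipal, authorizableRequestContext, action, matchingRule));
                }
                return;
            default:
                return;
        }
    }

    /**
     * Searches two sections of the resource index: first the one starting at the action's own
     * resource name, then the one starting at the literal wildcard name. A DENY found in the first
     * section ends the search immediately.
     *
     * @return the deciding rule, or {@code null} if no ACL matched
     */
    private MatchingAclRule findAclRule(Set<KafkaPrincipal> set, String str, Action action) {
        MatchingAclBuilder matchingAclBuilder = new MatchingAclBuilder(null);
        // The StandardAcl instances built here are only search keys for tailSet(); presumably the
        // UNKNOWN / empty fields make them sort at the start of their section — confirm against
        // StandardAcl's ordering, which is not shown in this file.
        checkSection(action, new StandardAcl(action.resourcePattern().resourceType(), action.resourcePattern().name(), PatternType.UNKNOWN, "", "", AclOperation.UNKNOWN, AclPermissionType.UNKNOWN), set, str, matchingAclBuilder);
        if (matchingAclBuilder.foundDeny()) {
            return matchingAclBuilder.build();
        }
        checkSection(action, new StandardAcl(action.resourcePattern().resourceType(), WILDCARD, PatternType.LITERAL, "", "", AclOperation.UNKNOWN, AclPermissionType.UNKNOWN), set, str, matchingAclBuilder);
        return matchingAclBuilder.build();
    }

    /**
     * Walks the index from {@code standardAcl} onwards and records matching ACLs in the builder.
     * The walk stops at the first ACL of another resource type, at the first ACL whose name is
     * neither a prefix of the resource name nor the literal wildcard, or at the first DENY match.
     */
    private void checkSection(Action action, StandardAcl standardAcl, Set<KafkaPrincipal> set, String str, MatchingAclBuilder matchingAclBuilder) {
        NavigableSet<StandardAcl> tailSet = this.aclsByResource.tailSet(standardAcl, true);
        String name = action.resourcePattern().name();
        for (StandardAcl standardAcl2 : tailSet) {
            if (!standardAcl2.resourceType().equals(action.resourcePattern().resourceType())) {
                return;
            }
            if (name.startsWith(standardAcl2.resourceName())) {
                if (standardAcl2.patternType() == PatternType.LITERAL && !name.equals(standardAcl2.resourceName())) {
                    // A LITERAL ACL applies only to an exactly equal resource name. The decompiled
                    // listing left this branch empty, which let a LITERAL ACL on a name such as
                    // "foo" be evaluated against a longer resource such as "foobar". Skip the ACL
                    // and keep scanning, since later entries in the section may still match.
                    continue;
                }
            } else if (!standardAcl2.resourceName().equals(WILDCARD) || standardAcl2.patternType() != PatternType.LITERAL) {
                return;
            }
            AuthorizationResult findResult = findResult(action, set, str, standardAcl2);
            if (AuthorizationResult.ALLOWED == findResult) {
                matchingAclBuilder.allowAcl = standardAcl2;
            } else if (AuthorizationResult.DENIED == findResult) {
                // DENY is final: stop scanning as soon as one is found.
                matchingAclBuilder.denyAcl = standardAcl2;
                return;
            }
        }
    }

    /** Convenience overload that derives the principals and host address from the request context. */
    static AuthorizationResult findResult(Action action, AuthorizableRequestContext authorizableRequestContext, StandardAcl standardAcl) {
        return findResult(action, matchingPrincipals(authorizableRequestContext), authorizableRequestContext.clientAddress().getHostAddress(), standardAcl);
    }

    /**
     * Returns the request principal as a plain {@link KafkaPrincipal}. A subclass instance is
     * reduced to its type and name so that set lookups and {@code toString()} comparisons work on
     * the base class only.
     */
    static KafkaPrincipal baseKafkaPrincipal(AuthorizableRequestContext authorizableRequestContext) {
        KafkaPrincipal principal = authorizableRequestContext.principal();
        return principal.getClass().equals(KafkaPrincipal.class) ? principal : new KafkaPrincipal(principal.getPrincipalType(), principal.getName());
    }

    /** Returns the principals an ACL may name to apply to this request: the caller and {@code User:*}. */
    static Set<KafkaPrincipal> matchingPrincipals(AuthorizableRequestContext authorizableRequestContext) {
        return Utils.mkSet(baseKafkaPrincipal(authorizableRequestContext), WILDCARD_KAFKA_PRINCIPAL);
    }

    /**
     * Evaluates a single ACL against the action.
     *
     * <p>The ACL applies only if its principal is in {@code set}, its host is the wildcard or
     * equals {@code str}, and its operation covers the action. An operation of ALL covers
     * everything. For ALLOW ACLs, DESCRIBE and DESCRIBE_CONFIGS are also covered by the operations
     * in {@code IMPLIES_DESCRIBE} and {@code IMPLIES_DESCRIBE_CONFIGS}. Any other permission type
     * is treated as DENY and needs an exact operation match, so a DENY never widens by implication.
     *
     * @return ALLOWED or DENIED if the ACL applies, {@code null} if it does not
     */
    static AuthorizationResult findResult(Action action, Set<KafkaPrincipal> set, String str, StandardAcl standardAcl) {
        if (!set.contains(standardAcl.kafkaPrincipal())) {
            return null;
        }
        if (!standardAcl.host().equals(WILDCARD) && !standardAcl.host().equals(str)) {
            return null;
        }
        if (standardAcl.operation() != AclOperation.ALL) {
            if (standardAcl.permissionType().equals(AclPermissionType.ALLOW)) {
                switch (AnonymousClass1.$SwitchMap$org$apache$kafka$common$acl$AclOperation[action.operation().ordinal()]) {
                    case 1: // DESCRIBE
                        if (!IMPLIES_DESCRIBE.contains(standardAcl.operation())) {
                            return null;
                        }
                        break;
                    case 2: // DESCRIBE_CONFIGS
                        if (!IMPLIES_DESCRIBE_CONFIGS.contains(standardAcl.operation())) {
                            return null;
                        }
                        break;
                    default:
                        if (action.operation() != standardAcl.operation()) {
                            return null;
                        }
                        break;
                }
            } else if (action.operation() != standardAcl.operation()) {
                return null;
            }
        }
        return standardAcl.permissionType().equals(AclPermissionType.ALLOW) ? AuthorizationResult.ALLOWED : AuthorizationResult.DENIED;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Returns a new list holding the bindings of all stored ACLs that the filter matches. */
    public Iterable<AclBinding> acls(AclBindingFilter aclBindingFilter) {
        ArrayList<AclBinding> arrayList = new ArrayList<>();
        this.aclsByResource.forEach(standardAcl -> {
            AclBinding binding = standardAcl.toBinding();
            if (aclBindingFilter.matches(binding)) {
                arrayList.add(binding);
            }
        });
        return arrayList;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Returns the internal resource index itself; changes made through it affect authorization. */
    public TreeSet<StandardAcl> getAclsByResource() {
        return this.aclsByResource;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Returns the internal id index itself; changes made through it affect this object. */
    public HashMap<Uuid, StandardAcl> getAclsById() {
        return this.aclsById;
    }
}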
